5a024b04af410148ddeefd9ed8f5714ff615a75256fb18e42463c498399bbdfc

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a024b04af410148ddeefd9ed8f5714ff615a75256fb18e42463c498399bbdfc.exe
Size

1.1MB
MD5

06effd3bdd7247747398b736b8f9e1ff
SHA1

3d3fcd61a50ac798fef0c25b6ebadbb0c7ec690e
SHA256

5a024b04af410148ddeefd9ed8f5714ff615a75256fb18e42463c498399bbdfc
SHA512

4a5d8f5d2072c218884daaaabdc852aad0b9c34a9520c70006d3e8f4e17430f6367e72ec77d28f25c3c13126761165a5353aa88762a5fe69844aa4fa373c5d0b
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q3:acallSllG4ZM7QzMQ

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3068	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
3068	svchcst.exe
1264	svchcst.exe
2736	svchcst.exe
704	svchcst.exe
2256	svchcst.exe
1872	svchcst.exe
1612	svchcst.exe
1520	svchcst.exe
2248	svchcst.exe
2884	svchcst.exe
1416	svchcst.exe
704	svchcst.exe
1536	svchcst.exe
2344	svchcst.exe
1936	svchcst.exe
2324	svchcst.exe
2540	svchcst.exe
2728	svchcst.exe
1564	svchcst.exe
2800	svchcst.exe
704	svchcst.exe
1476	svchcst.exe
2312	svchcst.exe
2024	svchcst.exe

Loads dropped DLL 43 IoCs

pid	Process
2656	WScript.exe
2656	WScript.exe
2856	WScript.exe
1996	WScript.exe
1996	WScript.exe
604	WScript.exe
1996	WScript.exe
604	WScript.exe
1976	WScript.exe
1976	WScript.exe
1896	WScript.exe
1896	WScript.exe
1968	WScript.exe
1968	WScript.exe
2372	WScript.exe
2192	WScript.exe
2192	WScript.exe
264	WScript.exe
2036	WScript.exe
2036	WScript.exe
2036	WScript.exe
3052	WScript.exe
3052	WScript.exe
2332	WScript.exe
2332	WScript.exe
2700	WScript.exe
2700	WScript.exe
1684	WScript.exe
1684	WScript.exe
2648	WScript.exe
2648	WScript.exe
1120	WScript.exe
1120	WScript.exe
1852	WScript.exe
1852	WScript.exe
2112	WScript.exe
2112	WScript.exe
848	WScript.exe
848	WScript.exe
1588	WScript.exe
1588	WScript.exe
2100	WScript.exe
2100	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a024b04af410148ddeefd9ed8f5714ff615a75256fb18e42463c498399bbdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2660	5a024b04af410148ddeefd9ed8f5714ff615a75256fb18e42463c498399bbdfc.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2660	5a024b04af410148ddeefd9ed8f5714ff615a75256fb18e42463c498399bbdfc.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2660	5a024b04af410148ddeefd9ed8f5714ff615a75256fb18e42463c498399bbdfc.exe
2660	5a024b04af410148ddeefd9ed8f5714ff615a75256fb18e42463c498399bbdfc.exe
3068	svchcst.exe
3068	svchcst.exe
1264	svchcst.exe
1264	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
704	svchcst.exe
704	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
1872	svchcst.exe
1872	svchcst.exe
1612	svchcst.exe
1612	svchcst.exe
1520	svchcst.exe
1520	svchcst.exe
2248	svchcst.exe
2248	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
1416	svchcst.exe
1416	svchcst.exe
704	svchcst.exe
704	svchcst.exe
1536	svchcst.exe
1536	svchcst.exe
2344	svchcst.exe
2344	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
1564	svchcst.exe
1564	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
704	svchcst.exe
704	svchcst.exe
1476	svchcst.exe
1476	svchcst.exe
2312	svchcst.exe
2312	svchcst.exe
2024	svchcst.exe
2024	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2656	2660	5a024b04af410148ddeefd9ed8f5714ff615a75256fb18e42463c498399bbdfc.exe	31
PID 2660 wrote to memory of 2656	2660	5a024b04af410148ddeefd9ed8f5714ff615a75256fb18e42463c498399bbdfc.exe	31
PID 2660 wrote to memory of 2656	2660	5a024b04af410148ddeefd9ed8f5714ff615a75256fb18e42463c498399bbdfc.exe	31
PID 2660 wrote to memory of 2656	2660	5a024b04af410148ddeefd9ed8f5714ff615a75256fb18e42463c498399bbdfc.exe	31
PID 2656 wrote to memory of 3068	2656	WScript.exe	33
PID 2656 wrote to memory of 3068	2656	WScript.exe	33
PID 2656 wrote to memory of 3068	2656	WScript.exe	33
PID 2656 wrote to memory of 3068	2656	WScript.exe	33
PID 3068 wrote to memory of 2856	3068	svchcst.exe	34
PID 3068 wrote to memory of 2856	3068	svchcst.exe	34
PID 3068 wrote to memory of 2856	3068	svchcst.exe	34
PID 3068 wrote to memory of 2856	3068	svchcst.exe	34
PID 2856 wrote to memory of 1264	2856	WScript.exe	35
PID 2856 wrote to memory of 1264	2856	WScript.exe	35
PID 2856 wrote to memory of 1264	2856	WScript.exe	35
PID 2856 wrote to memory of 1264	2856	WScript.exe	35
PID 1264 wrote to memory of 1996	1264	svchcst.exe	36
PID 1264 wrote to memory of 1996	1264	svchcst.exe	36
PID 1264 wrote to memory of 1996	1264	svchcst.exe	36
PID 1264 wrote to memory of 1996	1264	svchcst.exe	36
PID 1996 wrote to memory of 2736	1996	WScript.exe	37
PID 1996 wrote to memory of 2736	1996	WScript.exe	37
PID 1996 wrote to memory of 2736	1996	WScript.exe	37
PID 1996 wrote to memory of 2736	1996	WScript.exe	37
PID 2736 wrote to memory of 604	2736	svchcst.exe	38
PID 2736 wrote to memory of 604	2736	svchcst.exe	38
PID 2736 wrote to memory of 604	2736	svchcst.exe	38
PID 2736 wrote to memory of 604	2736	svchcst.exe	38
PID 1996 wrote to memory of 2256	1996	WScript.exe	39
PID 1996 wrote to memory of 2256	1996	WScript.exe	39
PID 1996 wrote to memory of 2256	1996	WScript.exe	39
PID 1996 wrote to memory of 2256	1996	WScript.exe	39
PID 604 wrote to memory of 704	604	WScript.exe	40
PID 604 wrote to memory of 704	604	WScript.exe	40
PID 604 wrote to memory of 704	604	WScript.exe	40
PID 604 wrote to memory of 704	604	WScript.exe	40
PID 2256 wrote to memory of 1976	2256	svchcst.exe	41
PID 2256 wrote to memory of 1976	2256	svchcst.exe	41
PID 2256 wrote to memory of 1976	2256	svchcst.exe	41
PID 2256 wrote to memory of 1976	2256	svchcst.exe	41
PID 1976 wrote to memory of 1872	1976	WScript.exe	42
PID 1976 wrote to memory of 1872	1976	WScript.exe	42
PID 1976 wrote to memory of 1872	1976	WScript.exe	42
PID 1976 wrote to memory of 1872	1976	WScript.exe	42
PID 1872 wrote to memory of 1896	1872	svchcst.exe	43
PID 1872 wrote to memory of 1896	1872	svchcst.exe	43
PID 1872 wrote to memory of 1896	1872	svchcst.exe	43
PID 1872 wrote to memory of 1896	1872	svchcst.exe	43
PID 1896 wrote to memory of 1612	1896	WScript.exe	44
PID 1896 wrote to memory of 1612	1896	WScript.exe	44
PID 1896 wrote to memory of 1612	1896	WScript.exe	44
PID 1896 wrote to memory of 1612	1896	WScript.exe	44
PID 1612 wrote to memory of 1968	1612	svchcst.exe	45
PID 1612 wrote to memory of 1968	1612	svchcst.exe	45
PID 1612 wrote to memory of 1968	1612	svchcst.exe	45
PID 1612 wrote to memory of 1968	1612	svchcst.exe	45
PID 1968 wrote to memory of 1520	1968	WScript.exe	46
PID 1968 wrote to memory of 1520	1968	WScript.exe	46
PID 1968 wrote to memory of 1520	1968	WScript.exe	46
PID 1968 wrote to memory of 1520	1968	WScript.exe	46
PID 1520 wrote to memory of 2372	1520	svchcst.exe	47
PID 1520 wrote to memory of 2372	1520	svchcst.exe	47
PID 1520 wrote to memory of 2372	1520	svchcst.exe	47
PID 1520 wrote to memory of 2372	1520	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\5a024b04af410148ddeefd9ed8f5714ff615a75256fb18e42463c498399bbdfc.exe
"C:\Users\Admin\AppData\Local\Temp\5a024b04af410148ddeefd9ed8f5714ff615a75256fb18e42463c498399bbdfc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1264
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4e0898fd573444c8a1ca405f56d91202

SHA1
923b94de569e6182b7bdef50dc667e09c21718f1

SHA256
3e64631f55d22f8d4e11a5f0b2436b8f34eef620b33b507a0042531fe18f5a73

SHA512
a17085d5e4c70dfa5a9fb97002b5dc3117602896d5d12c83b7bd04c54234563c43ea9692523d093a82c43b8531da26bc2269edfd276a2f15f0c42b2b8936551b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0667072f0b99c114be29b17a58be850a

SHA1
8ec8d5ba1f5842c2f07a4332fb04ba60b0bc7143

SHA256
002841eff29a50e5cf34cf60cfb5bbbf780c4d2f8809016ab22a0e084fc10d07

SHA512
5e0c61897463fd935f2e0420389e4d7c6b08232e63175ccc96db2b6f3d294e9196bc5efd6445ccc8f460efc0791c13ea040b36ce3130f12e414a3ab7b678dfd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e941c404604f780e37c7e63233301fa0

SHA1
d27c9a3b90881add1a06b41b5931267fc818ff08

SHA256
6add2531fc05662418f48a46f522fa4507053ece8d0d94a04c0c213d27da81ce

SHA512
1f448e52f5aa81f30ecf10d6222fa0913ab7a5f3c0f2c7e6a9deb231e9bf55937c4fb0f84bbaeccdd9040e163ae371daec55eff48d633cd6d6bd409433fbf4f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c7211c6ab078878929bb3683f705560

SHA1
5a52049f54692294392837b5922d865e9c407022

SHA256
bb9e2a89c0fc9574eac35f2b2c4bc696f3642fc96ff2fd1f6a2d3467784fbeff

SHA512
4d9b5d0053b0f57651c08084c87416d2ae8613b9ea74651e51f251e5d806f36c194735e4f6f3152d7c72592f60f2a7e971ee82c60410762472942823b1956c38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
308b7da7ec377746fab239c88940c7ea

SHA1
62356f1d6078f5587c1e0fa2201b199ebfdd0372

SHA256
3c6e5a89529248f6074cab8ca705d7f399c2808e185a451f2520d767e7aecd77

SHA512
bfd886261d3c9ae90f40968acb30b229e8d6754768bee5430f246594b5f81952de101a572cedb84bd1ab9a39cb607ec981287e9e03ea45b829744c47ee9bc877

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
297aff64991480fd92a4ce9fb4d40807

SHA1
c586f7003f854f442db26448516e59826dfe41e9

SHA256
5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

SHA512
f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0192d17fea0102bde8e142aabd30379e

SHA1
f625075beef58c06ca68d43a3ba5cc1caa8efdfd

SHA256
98e8ea7a93d93f491f56d4026b5683e7fdeff25fe26f518e2e81a1319ef49719

SHA512
43002329c61c0fedc908a1838c1868573a5f6f64b4bad3295182b341562cd4b17710ce021e75157830b5b29d29141ae394b3addae4f8c180259f02cb44648163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6998fa6acf02bf81ca3b787bf2aac86

SHA1
c3c08503b40c243120c2815bec43823d1457c93f

SHA256
5f2a7d05a52819de3a4caa28c4b355ca484eea50de6ed9ce8078d244de25e365

SHA512
068536d1ae495d6610534c4536f6024b33bac2e935cb37f99668affefcb8d1fcd8c420e150b6e5807a58157eec83b24cc9017e7cb7b597a7523decdfbaf2a8e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f8db619ebe2f315356d8a3c1cb7ce863

SHA1
6a7be253323ec01b077ec2632a10159e39c17b2b

SHA256
99940aede45164365f56d6948655491bf5e5eaf8cc50400fe99620b5d3cd29c8

SHA512
6abc38a731254105c4f336ef9954159d7711889c704002838872473450f9077a940b4817cf36ae7fa04f08439a2acb53c9ab37c85e21c2981eab353379bf431a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0e6005a9dcb5a78d6fdd54527602f926

SHA1
90adc62e99f3c94c643596af0e17b5853b91fe1f

SHA256
847552b1ad30bd72f24acfe4afa5c326d3e79d7c2f147c958d72e92daca716da

SHA512
b4acfd81c1e926fcd305690aa3780bbec50460bcf947d17c20d6445faca4e774294b9da3a144207ccb3855e3ea2008a2d82ef691f32a4db6c7c3eb8202c6b568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
787b9e88dcf607403e50a00864ad232d

SHA1
27eee947b3d89bc0e8fdb49efd836d42cc68062c

SHA256
17bdabc2be2a0a987530499fc863050f2a9160fa578dd0065af4b01af489ef16

SHA512
5ce329a3d876202ae59df82ff6574b625a67e798eca69b520de13977e3c9b203a7774bb23b4ddcb0a1f96e591044a02fc881ed21c1b058d8429fc40e51dbe2fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7d17fe32ed60a26bf5fa3a2efd708da2

SHA1
9bdc79cc797667964244824fd57340ea25a3612d

SHA256
488760eac9223146cdf5e9366b6b53b2bdac093e946dd8ca13a70b0e0d52042e

SHA512
cd72f534396098379577f4b702839454732807c2c461cbb27e679002711dfc854bbb2c7c9414b41be54c95a810be568dfb83a5dc64e951a33acf5309124b69c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9a62ae86b45db71dba3b2b5aa33796bd

SHA1
a739a929625dca74c1f820807e3a94020819ef72

SHA256
f32e502d18ae674e61b0adec801ea70d43013d86f031d5877a700b374de32bfb

SHA512
588ab4d83713a0ec4870d789fb9e86a67225764a132b1b704259b8e46f9d7a67184025597da521a30528925fd08b2338ff16265db959f1828627620051df3499

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5b650943c398e4a5ca1bd64bd8d4c1e9

SHA1
2757596adf7d52aa0c4af7c10242af9c54bcbd27

SHA256
9a1f3c7dc481564f1b9fb5439428d8d3067ed9c3102a434b1cfa2e1d73764bd0

SHA512
f1a2d4ac1a35b2698869e3cd2d8f505ece70f21589fc2f189315afa9ddee777ccd89c152a366dfab6ac06af72373f69714ba6a19e73a244998963f2eb428fbf5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8fda5456d1d37bc3ea5deeac1cb20a7c

SHA1
26a6690374de925b16bb69b48d2219e215b87b7b

SHA256
f4ccbe27c562a04cc7d92278817dac5c2c973998811c7d0a936174b9f61b13fd

SHA512
fa7ef91fb73f968ebd1de0eafd805991c39f73f63c1827ee1ebb4570d82ec9fad4bd5f8fe8cebcf8fb08d7ca6e9b44bf53ef4875e93307159eba2fd54a2d287a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
51ea37766ab6cde711c1ffdb25d2df8c

SHA1
3bc3f1640c188fe7dbc28902ea635085b7e1dee8

SHA256
097654e7dac16046feb087c7e025f5b3f2a08a99fd9a1aeac5f54e1d43918998

SHA512
2ceedba4c9093d7a1dca9b8e0c7964d5be77e462823c5773a583e4f1fd2ae7e97bca0c0d9becabba1b7bca6785c015367328e2dee8810c70fe40d42649182cf8

Download Submit
memory/704-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/704-56-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/704-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/704-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1120-205-0x0000000005A60000-0x0000000005BBF000-memory.dmp

Filesize
1.4MB

Download
memory/1264-34-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1416-141-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1416-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1476-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1476-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1520-104-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1520-108-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1536-163-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1564-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1564-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1612-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1612-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1684-189-0x0000000005C00000-0x0000000005D5F000-memory.dmp

Filesize
1.4MB

Download
memory/1872-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1896-84-0x0000000004650000-0x00000000047AF000-memory.dmp

Filesize
1.4MB

Download
memory/1896-85-0x0000000004650000-0x00000000047AF000-memory.dmp

Filesize
1.4MB

Download
memory/1936-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1936-173-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-103-0x0000000005CF0000-0x0000000005E4F000-memory.dmp

Filesize
1.4MB

Download
memory/1976-71-0x0000000005C70000-0x0000000005DCF000-memory.dmp

Filesize
1.4MB

Download
memory/1996-50-0x0000000005EF0000-0x000000000604F000-memory.dmp

Filesize
1.4MB

Download
memory/1996-53-0x0000000004890000-0x00000000049EF000-memory.dmp

Filesize
1.4MB

Download
memory/2024-244-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-128-0x0000000004630000-0x000000000478F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-148-0x0000000004630000-0x000000000478F000-memory.dmp

Filesize
1.4MB

Download
memory/2248-114-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2248-122-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2256-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2256-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2312-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2312-243-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2324-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2324-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2344-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2344-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2372-113-0x0000000006020000-0x000000000617F000-memory.dmp

Filesize
1.4MB

Download
memory/2540-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2656-14-0x00000000059E0000-0x0000000005B3F000-memory.dmp

Filesize
1.4MB

Download
memory/2656-13-0x00000000059E0000-0x0000000005B3F000-memory.dmp

Filesize
1.4MB

Download
memory/2660-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2660-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2728-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2728-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2736-44-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2800-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2884-138-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2884-129-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3052-164-0x0000000005B70000-0x0000000005CCF000-memory.dmp

Filesize
1.4MB

Download
memory/3068-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download